Re: [fw-wiz] An interesting VPN problem

From: Patrick M. Hausen
Date: 08/29/03

    To: Jonas Anden
    Date: Fri, 29 Aug 2003 08:52:44 +0200 (CEST)

    Hi all!

    > Hi all you Wizes out there. I've got a bit of a problem that I think you
    > might help me solve...

    Unfortunately I don't know PIXen, but I think I can give you
    two general directions to investigate:

    > I've got two Cisco PIX 501 with the latest software (6.3.1). We're
    > trying to use them to set up a remote site with *all* client traffic on
    > the remote network being redirected through the site-to-site tunnel
    > (including the traffic that should ultimately end up on the Internet).
    > Traffic from the remote network not targeted for the local network
    > should be routed through a firewall reachable from the local network.
    > My network looks like this:
    > [L-NET]<-+--->[FW]<---+->[B-GW]<-->[INET]<-->[R-PIX]<-->[R-NET]
    >          |            |
    >          +-->[L-PIX]<-+

    So, if the PIXen only do site-to-site VPN and you want all your
    internal-to-Internet traffic to leave through the firewall at L-Site,
    you could use something called policy routing. As I said, I don't know
    if PIXen are "IOS'y" enough, but I did it in a couple of places
    with Cisco routers like this:


    interface tun0
     descr tunnel to R-NET
     ip route-cache policy
     ip policy route-map vpn-to-internet

    route-map vpn-to-internet permit 10
     match ip address 101
     set ip next-hop <insert internal IP of firewall here>

    access-list 101 remark match traffic that comes out of R-NET and is not (!) directed to L-NET
    access-list 101 deny ip <R-NET> <R-NET-INVERSE-MASK> <L-NET> <L-NET-INVERSE-MASK>
    access-list 101 permit ip <R-NET> <R-NET-INVERSE-MASK> any

    Works like a charm, but I think in your case that's waaaaayyy too
    complicated, because - if I understood you correctly - you can achieve
    the same with simple routing:

    Why should L-PIX know about "the Internet" at all? (read: why should
    it have a default route pointing to the Internet?)

    Set up your routing tables on the PIXen like this:


    Host route for external IP address of L-PIX directed to "the Internet"
    Default route to tunnel


    Host route for external IP address of R-PIX to "the Internet"
    Network route for R-NET to the tunnel
    Default route to _internal_ IP address of firewall


    Network route for R-NET to internal IP address of L-PIX
    (you probably have that already)


    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit

    -- GmbH         Internet - Dienstleistungen - Beratung
    Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe
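As an added illustration (not from Patrick's post), the following Python script models the three routing tables above, assuming the three blocks are the tables of R-PIX, L-PIX and the firewall in that order, with constructed RFC 5737 addresses and the implicit connected-network routes written out. It traces where a packet ends up and shows why the host route for the peer PIX's external address has to be there.

```python
from ipaddress import ip_network as IPNet, ip_address as IPAddr

# Constructed addressing for the diagram in the post (RFC 5737 ranges).
L_NET = IPNet("192.0.2.0/24")          # L-NET, behind FW and L-PIX
R_NET = IPNet("198.51.100.0/24")       # R-NET, behind R-PIX
L_PIX_EXT = IPAddr("203.0.113.1")      # external IP address of L-PIX
R_PIX_EXT = IPAddr("203.0.113.2")      # external IP address of R-PIX
DEFAULT = IPNet("0.0.0.0/0")
PEER = {"R-PIX": ("L-PIX", L_PIX_EXT), "L-PIX": ("R-PIX", R_PIX_EXT)}

# Routing tables as (prefix, next hop), following the post; the connected
# network routes are implicit on a real box and added here explicitly.
TABLES = {
    "R-PIX": [(IPNet(f"{L_PIX_EXT}/32"), "INET"), (R_NET, "R-NET"),
              (DEFAULT, "tunnel")],
    "L-PIX": [(IPNet(f"{R_PIX_EXT}/32"), "INET"), (R_NET, "tunnel"),
              (L_NET, "L-NET"), (DEFAULT, "FW")],
    "FW":    [(R_NET, "L-PIX"), (L_NET, "L-NET"), (DEFAULT, "B-GW")],
}
EXITS = {"INET", "B-GW", "L-NET", "R-NET"}   # packet has reached LAN or ISP


def lookup(table, dst):
    """Longest-prefix match: next hop for dst, or None if no route."""
    matches = [(p, h) for p, h in table if dst in p]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def trace(start, dst, tables=TABLES):
    """Hops a packet to dst takes from device start. A tunnel hop only works
    if the encapsulated packet (to the peer's external IP) routes to INET."""
    dst, path, dev = IPAddr(dst), [start], start
    while dev not in EXITS and len(path) < 10:
        hop = lookup(tables[dev], dst)
        if hop == "tunnel":
            peer, peer_ext = PEER[dev]
            if lookup(tables[dev], peer_ext) != "INET":
                return path + ["LOOP"]      # tunnel would swallow itself
            hop = peer
        elif hop is None:
            return path + ["DROP"]
        path.append(hop)
        dev = hop
    return path


def drop_host_routes(tables):
    """Same tables without the /32 host routes for the peer PIX addresses."""
    return {d: [(p, h) for p, h in t if p.prefixlen != 32]
            for d, t in tables.items()}
```

`trace("R-PIX", "203.0.113.200")` walks R-NET traffic through the tunnel, L-PIX and the firewall out to B-GW, while the same call on `drop_host_routes(TABLES)` stops at LOOP because the default route would pull the tunnel's own outer packets back into the tunnel.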
